Some of our Zimbra customers have complained that an authenticated user can set an arbitrary FROM header, which can be used to send fraudulent email. The issue can be reproduced with Thunderbird by composing an email as in the following picture,
or by using the following script; change the variables username, password, fake_from and to_addr to match your environment.
As my workaround I created a customized milter engine using the Python milter library, with the following features:
- The filter is triggered when the “MAIL FROM:” address in the SMTP command does not match the message’s “FROM:” header.
- A mismatch between “MAIL FROM:” and “FROM:” is still allowed as long as the header address is an alias, the canonical address or a catch-all address of the account (this can be customized).
- Exceptions (whitelist) using regex patterns.
- Sending as a distribution list is allowed if the user has been granted the sendAsDistList right.
- Daemonized using supervisord.
Note: the following steps must be executed on each of your MTA servers.
Some package dependencies are in the EPEL repository, so install that repository first:
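The decision logic behind the first three features above, as an added example (this is not the zmbr_check_sender code from the repository): the envelope sender seen in the milter’s MAIL FROM stage is compared with the parsed From: header, and a mismatch is accepted only when the header address is an alias, canonical or catch-all address of the authenticated account, or the sender matches a whitelist pattern. The ALLOWED_SENDERS dictionary, FILTERED_DOMAINS and WHITELIST are constructed stand-ins for the LDAP lookups and the main.domains / whitelist settings of the real milter.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the LDAP lookups the real milter performs against
# the Zimbra directory: each authenticated account maps to the set of addresses
# it may present in the From: header (canonical address, aliases, and
# catch-all grants written as "*@domain").
ALLOWED_SENDERS = {
    "alice@example.com": {"alice@example.com", "alice.smith@example.com", "sales@example.com"},
    "bob@example.com": {"bob@example.com", "*@partner.example.com"},
}

# Stand-in for main.domains: only envelope senders in these domains are checked.
FILTERED_DOMAINS = {"example.com"}

# Whitelist: regex patterns on the envelope sender that bypass the check
# (e.g. application or no-reply accounts that legitimately relay on behalf of others).
WHITELIST = [
    re.compile(r"^(noreply|scanner)@example\.com$", re.IGNORECASE),
]


def normalize(addr):
    """Strip display name and angle brackets, lower-case the bare address."""
    _, bare = parseaddr(addr or "")
    return bare.strip().lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def check_sender(mail_from, headers):
    """Decide whether the From: header is acceptable for this envelope sender.

    mail_from: the SMTP MAIL FROM address (as seen in the milter envfrom callback).
    headers:   dict of message headers (only "From" is consulted).
    Returns (action, reason) where action is "ACCEPT" or "REJECT".
    """
    env = normalize(mail_from)
    hdr = normalize(headers.get("From"))

    # Only enforce for the domains we are responsible for.
    if domain_of(env) not in FILTERED_DOMAINS:
        return "ACCEPT", "domain-not-filtered"

    # Whitelisted envelope senders are exempt from the header check.
    if any(p.match(env) for p in WHITELIST):
        return "ACCEPT", "whitelisted"

    # A message without a From: header cannot be validated against the sender.
    if not hdr:
        return "REJECT", "missing-from-header"

    if hdr == env:
        return "ACCEPT", "exact-match"

    allowed = ALLOWED_SENDERS.get(env, set())
    if hdr in allowed:
        return "ACCEPT", "alias-or-canonical"
    if "*@" + domain_of(hdr) in allowed:
        return "ACCEPT", "catch-all"

    return "REJECT", "header-from-mismatch"


if __name__ == "__main__":
    # Constructed samples: legitimate alias use, a spoofed identity, a catch-all
    # grant and a whitelisted account.
    for env, frm in [
        ("<alice@example.com>", "Alice Smith <alice.smith@example.com>"),
        ("<alice@example.com>", "Finance <finance@example.com>"),
        ("<bob@example.com>", "help@partner.example.com"),
        ("<scanner@example.com>", "Alerts <alerts@elsewhere.net>"),
    ]:
        print(env, "=>", frm, check_sender(env, {"From": frm}))
```

In a real pymilter callback the envelope address would be captured in envfrom and the decision taken in the eom (end-of-message) stage once the From: header has been seen; the LDAP query would replace the ALLOWED_SENDERS lookup, and the distribution-list case would be an additional lookup of the sendAsDistList grant.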
yum install epel-release
yum install python-pymilter python-ldap supervisor git-core
cd /opt
git clone https://github.com/iomarmochtar/zmbr_check_sender
Create the configuration from the template:
cd zmbr_check_sender/etc
cp config_dist.ini config.ini
vim config.ini
Adjust the configuration to your environment. For a basic setup, just change main.domains (the list of domains to be filtered), ldap.url (your Zimbra LDAP host) and zimbra.pwd (your Zimbra LDAP admin password, which can be read with the following command as the zimbra user):
zmlocalconfig -s ldap_root_password
Append the supervisord configuration:
cat daemon.ini >> /etc/supervisord.conf
Start the service and make sure it runs on boot:
service supervisord start
chkconfig supervisord on
You can check with telnet that the service is listening on port 5000:
telnet localhost 5000
Configure Zimbra to use it as a milter:
su - zimbra
zmprov ms `zmhostname` zimbraMtaSmtpdMilters inet:127.0.0.1:5000
zmprov ms `zmhostname` zimbraMilterServerEnabled TRUE
zmmtactl restart
Test it using Thunderbird or the script tes_sasl.py in the test folder.
You can see verbosely what this milter engine does by setting the configuration option main.debug to true and then restarting the supervisord service.
All activity can be seen by grepping the process name in the mail log:
tail -f /var/log/zimbra.log | grep mail_from_check
This is only my workaround for this issue; I really hope this “hardening” will become the default in Zimbra’s built-in milter, to prevent the fraudulent email that some of our customers cannot tolerate.